Password hell is ending – but the new login future has a terrifying catch
Ian Copeland

The UK’s National Cyber Security Centre is urging people to move away from passwords and towards passkeys, which are being promoted as a safer, simpler future for online security. But while passkeys may reduce hacking and phishing risks, Ian Copeland warns that they also shift more control of our digital identities into the hands of large technology platforms. Here, he explains how passkeys work, why the technology is gaining momentum and the hidden problems that can emerge when access breaks down.
All of us have forgotten passwords at some point. We’ve reset them, reused them, stored them badly and sworn at websites demanding one uppercase letter, one number, one symbol, one ancient rune and a blood sample.
My personal pet hates are maximum password lengths and banned characters, both signs of a poorly coded security process.
So, when the UK’s National Cyber Security Centre (NCSC) says it is time to move away from passwords and adopt passkeys, the instinctive response is relief. Good, kill the password. It’s had a fair run and made everyone miserable in the process.
And the NCSC is right in saying that passkeys are, from a security perspective, a serious improvement over passwords.
Passkeys use public-key cryptography, which means your device can prove it holds the right key without sending that key to the website. You don’t need to create it, type it, remember it or write it down.
Of course, if malware or spyware controls the device you use to approve logins, you’re going to have a problem, but passkeys are still much harder to steal than traditional passwords. Even if a website you use gets breached, the attacker still can’t get at your private key, because the site never holds it.
The NCSC now says they should be consumers’ first choice where available. Its new guidance says passkeys are generally more secure than even strong passwords combined with 2FA. It also says more than 50 per cent of active UK Google services users already have one registered.
I personally agree that you should use them, but there are some things you should know first.
The old login problem was clear. Someone could guess your password, trick you into entering it on a fake site or steal it from a breach, then try it everywhere else to see what they could access.
Passkeys solve a lot of that, making logging in safer, but they also make recovery much more important. If you adopt passkeys and your recovery details are stale, you may have made your front door stronger while losing the spare key. In other words, passwords fail when criminals can get in, while passkeys fail when you cannot.
In system design, removing one weak point can increase pressure elsewhere. With passkeys, pressure moves away from the login box and towards the recovery system: the email address, phone number, cloud account, backup code, device list, customer support process and policy control that decide whether you can get back in when life becomes untidy.
And it does, sometimes, become untidy. You lose your phone, your battery dies at just the wrong moment, your recovery email belongs to an account you stopped using three jobs ago, your phone number changed, your Apple ID is locked, Google thinks something has tripped a policy or Microsoft wants proof from a device you no longer own.
At that point, the recovery process is your problem.
And that raises a bigger question: who actually controls that recovery process?
The uncomfortable detail sits inside a boring phrase: “credential manager”. The NCSC says passkeys should be created, saved, stored and managed by a credential manager. In normal language, that means the thing on your device that remembers and protects them. For most people, the NCSC says this will be the default one built into the device, such as Apple Passwords, Google Password Manager, Samsung Pass or Windows Hello.
The same companies that already control your phone, cloud storage, browser, email, photos and videos, app store, device backups and purchases are now becoming the default custodians of your authentication layer too.
This is where the debate becomes more interesting than “passwords are bad, passkeys are good”.
For most people, “use passkeys” means “trust Apple, Google or Microsoft to store, sync and recover the keys to your digital life”.
That is likely to still be the right trade. It’s probably fair to say that Apple, Google and Microsoft are better at securing cryptographic credentials than the average person is at inventing memorable passwords.
The question is what happens when they become the recovery layer for everything.
A recent Apple story illustrates the fear more cleanly.
Dr Paris Buttfield-Addison, a long-time Apple developer, author and organiser of the /dev/world developer conference, wrote that he had been locked out of his Apple Account after attempting to redeem a gift card bought from a major bricks-and-mortar retailer.
The consequences, as reported by AppleInsider and The Register, were not limited to one failed purchase. Buttfield-Addison said he lost access to iCloud, iMessage, years of family photos, software purchases, developer resources and the normal functioning of his Apple devices.
The account was eventually restored after five days, but only once Apple’s Executive Relations team stepped in following significant press coverage. Apple has never explained why it was locked in the first place, and most users do not have journalists on their side.
If your authentication increasingly lives inside one vendor’s ecosystem, that vendor’s view of your account health becomes part of your security model.
Who can prove you are you? Who can help you recover? Who can decide your account is no longer in good standing, and how much of your life sits behind that decision?
Assuming you do ensure your recovery details are always well maintained, and that your chosen provider behaves reasonably, stronger recovery still creates another uncomfortable question — this time around privacy.
Much of the advice around passkeys now comes down to making sure your recovery information is not only accurate but extensive.
Have you already provided your chosen supplier with every detail about yourself? Phone number, alternate email, address, payments, ID? If you can answer yes to that, this issue probably won’t bother you.
If, like me, however, you’re more privacy-minded, this all feels like a bit of a trap. Many people have spent many years telling others not to overshare personal data. Now the practical security advice is to make sure the world’s largest technology companies have enough accurate information to let you back into your life.
This is an argument against sleepwalking into passkeys.
The passwordless future is probably the right direction, but it comes with dull instructions nobody wants to read.
Pick the credential manager that fits your life. For privacy-focused users, that may mean looking at Proton Pass, Bitwarden, Vaultwarden or KeePassXC while checking carefully how each handles passkeys on the devices and browsers you actually use.
Set up more than one passkey for accounts that matter, keep a hardware key as a fallback for anything you genuinely cannot afford to lose and, before you migrate anything, make sure your recovery details are current.
The front door is getting stronger, and that’s a good thing, but before handing over the keys to your digital life, it’s worth making sure the spare set still belongs to you.

Ian Copeland is a British technologist, entrepreneur and author with more than two decades’ experience designing complex enterprise IT and digital systems. Founder of a UK-based digital agency and author of The Exodus Directive, he specialises in artificial intelligence, blockchain infrastructure, quantum computing and digital identity. As Techno-Sociology & Futures Correspondent for The European, he writes on AI governance, decentralised systems, automation, digital power structures and the long-term societal consequences of emerging technologies.